Undeniable signature systems.

Cryptographic methods and apparatus for forming, checking, blinding, and unwinding of undeniable signatures are disclosed. The validity of such signatures is based on public keys and they are formed by a signing party with access to a corresponding private key, much as with public key digital signatures. A difference is that whereas public key digital signatures can be checked by anyone using the corresponding public key, the validity of undeniable signatures is in general checked by a protocol conducted between a checking party and the signing party. During such a protocol, the signing party may improperly try to deny the validity of a valid signature, but the checking party will be able to detect this with substantially high probability. In case the signing party is not improperly performing the protocol, the checking party is further able to determine with high probability whether or not the signature validly corresponds to the intended message and public key. Blinding can be used while obtaining undeniable signatures, while providing them to other parties, and while checking their validity.






EP 0 318 097 A1

UNDENIABLE SIGNATURE SYSTEMS 



BACKGROUND OF THE INVENTION 



1. Field of the Invention.

This invention relates to cryptographic systems, and more specifically to multiparty authentication systems like public key digital signatures.



2. Description of Prior Art. 

The concept of a "public key" is well known in the art. To form such a key, a secret seed is first chosen, typically at random from some suitable distribution. This secret seed is then used as the input to a public key creating algorithm. The resulting public key need not be kept secret; because of the "one-way" nature of the creating algorithm, deriving the secret seed from the public key is thought to be infeasible.

An often necessary aspect of public keys is their authenticity. There may be many users of a particular public key, and each must be ensured that they have its true value. If a bogus value were to be accepted as authentic by a particular user, then that user's security might be violated by the bogus key's creator. An example solution to this problem, which is often suggested, is to publish and widely distribute a directory of public keys.

An important use of public keys is for public key digital signatures, which are called "digital signatures" here for clarity. The message to be signed by a digital signature is represented as a number. The digital signature itself is also a number. It is formed from the message by a signing algorithm which uses a private key derived from the secret seed. A digital signature can be checked as corresponding to a particular message and public key combination, by applying a checking algorithm. Because the corresponding private key is thought to be needed in forming digital signatures, they are thought to be resistant to forgery.

One inherent property of digital signatures is that they can be checked by anyone knowing the corresponding public key. Thus, if you were to give a digital signature to someone, then they could show it to anyone else. Not only would each person seeing the signature be able to check it, but they could in turn supply it to others, who could also check and distribute it. Whereas this might be an advantage in some applications, it could be undesirable in others. For example, the issuer may wish to retain some monitorability or control over the showing of signatures.

The first really practical digital signature system was disclosed by Rivest, Shamir and Adleman in "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, Vol. 21, No. 2, February 1978. This so called RSA system remains probably the best known and most widely used for digital signatures. One of its drawbacks, however, is that its public key creating algorithm requires quite a substantial amount of computation compared to that required to form its digital signatures. Like most successful public key systems devised to date, RSA is partly based on the "discrete log" problem: all of its arithmetic is done in a finite group where given the representation of an element and a large power of that element, it is thought to be infeasible to discover what the power is. In essence, RSA and its cousins require that the order of the group be known only to the signer, which imposes a significant restriction on the group, making suitable groups difficult to find and also requiring a single group per signer. RSA does, however, allow blind signatures, as described in European Patent Publication 0139313, dated 2/5/85, claiming priority on U.S. Serial Number 524896, titled "Blind signature systems," by the present applicant. These first disclosed blind signatures required computation during blinding to anticipate all possible signature types. This amounted to more than a single multiply per signature type anticipated. The so called "unanticipated blind signatures" require only a fixed amount of computation during blinding to anticipate an unlimited number of kinds of signatures that might potentially be applied by a signer. Such systems were described in European Patent Publication 0218305, dated 4/15/87, claiming priority on U.S. Serial Number 784999, titled "Unanticipated blind signature systems," also by the present applicant. A remaining difficulty with the exemplary embodiments of both schemes, however, is that the signer must be fixed at the time of blinding and cannot be changed, even for so called "re-blinding."

The other widely accepted digital signature scheme was disclosed by ElGamal in "A public key cryptosystem and a signature scheme based on discrete logarithms," Advances in Cryptology: Proceedings of CRYPTO 84, G.R. Blakley and D. Chaum Eds., Springer-Verlag, 1985. Whereas it is also discrete-log based, it does not require that the order of the group be kept secret, but does require that the order be known to all signers using the same group. Its public key creation algorithm is essentially as fast as its signing algorithm, but blind signatures have not been constructed based on these ElGamal signatures.



FIG. 6 shows a combination block and functional diagram of an exemplary unanticipated signature system including blinding for signatures and challenges and also re-blinding, all in accordance with the teachings of the present invention.



BRIEF SUMMARY OF THE INVENTION 



In accordance with these and other objects of the present invention, a brief summary of an exemplary embodiment will now be presented. Some simplifications and omissions may be made in this brief summary, which is intended only to highlight and introduce some aspects of the invention, but not to limit its scope. Detailed descriptions of preferred exemplary embodiments adequate to allow those of ordinary skill in the art to make and use the inventive concepts are provided later.

An undeniable signature is verified by a cryptographic protocol conducted between the checker and the signer. In overview, the protocol of the exemplary embodiments consists of a challenge number formed by the checker and given to the signer, followed by a response number returned by the signer. After the exchange of this challenge and response, the checker performs a checking procedure. The inputs to the procedure are the response from the signer as well as the suitably-chosen random values used by the checker in forming the challenge. If the procedure's result is positive, then the checker has high certainty that the signature is valid, and consequently the verification of the signature can be regarded as completed.

If, on the other hand, the procedure's result is negative, the checker may wish to distinguish between two cases: (a) the signature is not valid; or (b) the signer is responding improperly to challenges, presumably in an effort to falsely deny a valid signature. The checker can learn which of the two cases applies, in spite of the signer's efforts to mislead the checker, by a further round of challenge and response. The second challenge and response can be formed in the same way as the first ones were, but both sets of independent random choices and both responses allow the checker's second procedure to determine which case above, (a) or (b), holds. The pair of challenges and corresponding responses may be thought of as in effect allowing the checker to learn whether the signer is answering consistently or not.

A simple example of these protocols and the checking procedures will now be described based on the multiplicative group having prime order p, with primitive element g, both of which could be used by every signer. (The fact that the order of the group is prime and public is used in this simple


OBJECTS OF THE INVENTION 



Accordingly, it is an object of the present invention to provide a signature scheme that can require consent of the signer each time a signature is checked.

Another object of the present invention is to allow public key creation algorithms having a computational requirement comparable to that of signing.

A further object of the present invention is to allow a kind of blind signature in which blinding does not have to anticipate the type of signature nor who the signer will be.

Yet another object of the present invention is to allow signature schemes based on discrete log in groups for which nobody need know the order of the group, and for which there may be no harm if anyone learns it.

Still another object of the present invention is to allow efficient, economical, and practical apparatus and methods fulfilling the other objects of the invention.

Other objects, features, and advantages of the present invention will be appreciated when the present description and appended claims are read in conjunction with the drawing figures.



BRIEF DESCRIPTION OF THE DRAWING FIGURES



FIG. 1 shows a flowchart of a preferred embodiment of a combination public key creating and undeniable signature forming protocol in accordance with the teachings of the present invention.

FIG. 2 shows a flowchart of a preferred embodiment of a first exemplary undeniable signature checking protocol in accordance with the teachings of the present invention.

FIG. 3 shows a flowchart of a preferred embodiment of a second alternate exemplary undeniable signature checking protocol in accordance with the teachings of the present invention.

FIG. 4 shows a flowchart of a preferred embodiment of an exponential blinding and a corresponding re-blinding protocol in accordance with the teachings of the present invention.

FIG. 5 shows a flowchart of a preferred embodiment of an unanticipated signature blinding and a corresponding re-blinding protocol in accordance with the teachings of the present invention.
embodiment, but are not necessary in general.) Consider a particular signer S, checker V, message m, private key x, public key $g^x$ and signature z that should equal $m^x$. The first challenge is of the form $z^a g^{xb}$ where a and b are chosen by the checker independently and uniformly from the interval 1 to p. The signer's response should be the result of raising the challenge to the power y, where y is the multiplicative inverse of x modulo p. Thus the signer responds with $m^a g^b$, which V can readily construct for comparison. If the comparands are equal, then V is believed to know that with probability $1 - p^{-1}$ the signature is valid.

If the comparands are unequal, however, V may still wish to know if the signature z is invalid or if S is trying to improperly deny it; so the protocol is repeated with independently chosen c and d instead of a and b, respectively. Then V uses the two responses $r_1$ and $r_2$ to test whether $(r_1 g^{-b})^c = (r_2 g^{-d})^a$. If the equality holds, it is believed that S is answering consistently and that z is not a valid signature, with the same high probability as for signature validity; otherwise, S is answering improperly.
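The challenge-response exchange and the two checking procedures just described, as an added example that is not part of the patent: the group is a constructed toy instance, the squares modulo the safe prime q = 1019, which has prime order p = 509 so that exponents and the inverse y are taken modulo p. The verdict labels, the fixed-draw interface and the cheating responder (which multiplies every honest response by g) are assumptions of this example.

```python
import secrets

# Constructed toy parameters (not from the patent): q = 2p + 1 is a safe prime, so the
# squares modulo q form a group of prime order p, as the simple example requires.
Q = 1019
P = (Q - 1) // 2            # 509, prime: exponents and the inverse y live modulo P
G = pow(2, 2, Q)            # square of a public number and not 1, so it generates the group


def keygen(x=None):
    """Private key x in [1, p-1], its inverse y = x^-1 mod p, and the public key g^x."""
    if x is None:
        x = 1 + secrets.randbelow(P - 1)
    y = pow(x, -1, P)
    return x, y, pow(G, x, Q)


def sign(m, x):
    """Undeniable signature z = m^x on a group element m."""
    return pow(m, x, Q)


def challenge(z, pub, a, b):
    """Checker's challenge z^a * g^(xb), built from the signature and the public key g^x."""
    return pow(z, a, Q) * pow(pub, b, Q) % Q


def respond(c, y):
    """Honest signer's response: raise the challenge to y = x^-1 mod p."""
    return pow(c, y, Q)


def check(m, r, a, b):
    """First test: for a valid signature the response equals m^a * g^b."""
    return r == pow(m, a, Q) * pow(G, b, Q) % Q


def consistent(r1, a, b, r2, c, d):
    """Second test: (r1 * g^-b)^c == (r2 * g^-d)^a holds iff the signer answered consistently."""
    lhs = pow(r1 * pow(G, P - b, Q) % Q, c, Q)   # g^-b == g^(p-b) because g has order p
    rhs = pow(r2 * pow(G, P - d, Q) % Q, a, Q)
    return lhs == rhs


def verify(m, z, pub, responder, draw):
    """Checker's side of the protocol. responder(c) is the signer; draw() yields exponents
    in [1, p-1]. Returns "valid", "invalid" (consistent signer, wrong signature) or
    "improper" (signer not answering consistently)."""
    a, b = draw(), draw()
    r1 = responder(challenge(z, pub, a, b))
    if check(m, r1, a, b):
        return "valid"
    c, d = draw(), draw()
    r2 = responder(challenge(z, pub, c, d))
    return "invalid" if consistent(r1, a, b, r2, c, d) else "improper"


def random_exponent():
    return 1 + secrets.randbelow(P - 1)


if __name__ == "__main__":
    x, y, pub = keygen()
    m, other = pow(123, 2, Q), pow(77, 2, Q)       # two constructed messages in the group
    z = sign(m, x)
    honest = lambda c: respond(c, y)
    cheat = lambda c: respond(c, y) * G % Q        # assumed cheat: perturb every response by g
    print(verify(m, z, pub, honest, random_exponent))               # valid
    print(verify(m, sign(other, x), pub, honest, random_exponent))  # invalid
    print(verify(m, z, pub, cheat, random_exponent))                # improper, except w.p. ~1/p
```

The "improper" verdict against the perturbing cheater fails only when the two draws a and c coincide modulo p, which matches the $1 - p^{-1}$ confidence the text states.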



GENERAL DESCRIPTION 



Turning now to Fig. 6, general descriptions of the interconnection and cooperation of the constituent parts of some exemplary embodiments of the present invention will first be presented.

The signing party 601 includes two transformations, signer 602 and responder 603, both of which depend on the secret seed value created by random generator 604. The initial output of a public key message (message [10] in Fig. 1, to be described) is not shown here for clarity and also because in some embodiments, like the preferred embodiments to be presented, a distinguished public key is not needed, since any undeniable signature (together with its corresponding unsigned message) can serve as such a public key, as will be obvious to those of ordinary skill in the art.

When the provider 605 provides an original message for signing, it may first optionally be blinded by blinder 606, which depends on random generator 607, before being input to signer 602, already mentioned. The signed output of signer 602 is then input to optional unblinder 608, which also depends on random generator 607, and which is used only when optional blinder 606 has been used. The output of unblinder 608 is then returned to provider 605.

Optionally, both the signed and unsigned message are individually blinded by blinder 609, depending on random source 610, before they are provided as input to a part of checking party 611 which is shown as challenger 612. Challenger 612 is dependent on random generator 613, also shown as part of checking party 611, and provides its challenge message(s) optionally to blinder 614, which depends on random source 615. The output of the optional blinder 614 is input to responder 603, which depends on random source 604 as already mentioned, and responder 603 provides its output to unblinder 616, which is used only when blinder 614 has been used and also depends on the random source 615. Then unblinder 616 provides its output to tester 617, a final part of checking party 611, responsive to random source 613 already mentioned and to challenger 612, and which produces the final three valued output (indicating whether the undeniable signature is valid, the signature is invalid, or the response is improper).

The relation of the parts of Fig. 6, just described, to those of Fig. 1 through Fig. 5, which are to be described in detail later, will now be briefly described for completeness. Signer 602 of signing party 601 is shown as box 103, and also as box 402 or 502 when optional blinding 606 is used. When blinding 402 or 502 is used, then unwinding 607 is shown in box 403 and 503, respectively. The optional blinding of signed and unsigned messages before they are used in the protocols of Fig. 2 or Fig. 3 is shown as performed by blinder 609. This blinder produces a blinded and unblinded message pair, as already mentioned, which is shown in box 404 and 504, depending on whether the blinding of Fig. 4 or that of Fig. 5 is used, respectively. The challenger 612 and tester 617, both depending on random source 613 as mentioned, are both either of the type shown in Fig. 2 or that shown in Fig. 3. In the case of Fig. 2, challenger 612 is shown in both boxes 201 and 204; in the case of Fig. 3, it is in boxes 301 (supported by 303) and 306 (supported by box 308). Then one or more related challenges may optionally be blinded by blinder 614, which as mentioned is responsive to random source 615, such blinding being as shown in box 401 or box 501. Then responder 603 transforms each challenge, responsive to the output of random source 604 already mentioned, using the same choice of Fig. 2 or Fig. 3 used by the challenger 612 and tester 617 as already mentioned. For Fig. 2, the responses are shown formed in box 202 and 205; for Fig. 3 they are formed in boxes 302 combined with 304 and in 307 combined with 309. These responses are unblinded by optional unblinder 616, only when optional blinder 614 has been used as mentioned. Finally, the tester 617, responsive to random source 613 as mentioned, checks the responses using the same choice of Fig. 2 or Fig. 3 as described previously for challenger 612 and responder 603. For Fig. 2, the checking is shown spanning boxes 203 and 206; for Fig. 3, it is shown in boxes 305 and 310. The results of these tests determine the output of the tester 617.

As will be appreciated, the blinding of blinder 606 and its corresponding unblinding by unblinder 608 will be used or not used as a whole; similarly for that of 614 and 616; and the blinding of the signed and unsigned message pairs by blinder 609 may be omitted or kept in its entirety. When such optional blinding and possibly unblinding is omitted, the blinding and unblinding operations shown are transparent and just pass their inputs through without change to their outputs, as might also happen if certain values are produced by the random sources involved.

General descriptions of the functions of some constituent parts in accordance with the teachings of the present invention will now be presented.

First it should be mentioned that all the lines in Fig. 1-6 imply the transfer of messages. These may be held initially or delayed on their way, encoded and decoded cryptographically or otherwise to provide their authenticity and/or secrecy and/or error detection and/or error recovery. Thus the particular means or methods whereby messages are transferred are not essential to the present invention, and it is anticipated that any technique may be employed in this regard. The lines may for example be taken to represent communication means, in which case they might be realized in a variety of exemplary ways including as conductive paths, fibre optic links, or paths through a packet switched network; also suitable drivers, modems, or other appropriate interfaces may be required at the ends of such lines, as are well known in the art. Alternatively, the lines may be taken to stand for a message transfer step.

In Fig. 6, signing party 601 and checking party 611 are each shown as a collection of parts including two transformations and a random source. As will be described in detail later, Fig. 1-5 also show parties as a collection of flowchart boxes forming a vertical column. The term "party" is used herein to indicate an entity with control over at least the secrecy of some information, usually at least one key. It is anticipated that a plurality of people may each know all or part of some key, and they might be thought of collectively as a party. In other cases, a key may be substantially unknown to people, and reside in some physical device, and then the device itself or those who control it from time to time may be regarded as parties. Thus the parties denoted by single boxes or collections of boxes might sometimes be regarded as agents who perform a step or a collection of steps in a protocol. They might also be regarded as means for performing those steps and might be comprised of any suitable configuration of digital logic circuitry. For example, any box or collection of boxes from the figures could be realized by hard-wired and dedicated combinatorial logic, or by some sort of suitably programmed machine, a microprocessor for instance, such as are well known to those of skill in the art, just so long as it is able to perform the storage, input/output and transformational steps (possibly apart from the random source functions) described by the corresponding box or boxes.

Random sources 604, 607, 610, 613, and 615 of Fig. 6 and the uses of the word "random" shown in Fig. 1-5 indicate the function of creating a value that should not be readily determined by at least some party. Many means and methods are known in the art for generating such unpredictable quantities, often called keys. Some are based on physical phenomena, such as noise in semiconductors, or patterns detected in humans pushing buttons, or possibly deterministic cryptographic techniques sometimes called pseudorandom generators. It is well known in the art that these various techniques can often be combined, and that post-processing can often improve the results.

Again referring to Fig. 6, the description of the function of some constituent parts is continued.

Signer 602, one transformation of signing party 601 already mentioned, is any transformation that is believed at least not readily performed without the private key output of random source 604 and which cooperates with the challenge, response, and testing to be described. Naturally, as a kind of signature, the signer's output should be resistant to forgery by those without the signer's private key.

Provider 605 is a source of original messages to be signed. Its particular nature is not essential to the invention, and any way to obtain messages for which undeniable signatures will be made is suitable. Examples of messages requiring signatures known in the art include agreements, numbers with redundancy properties that encode value, blinded forms of digital pseudonyms, any sort of messages transferred between parties, etc.

Blinder 606 cooperates with unblinder 608 and derives its blinding key from random source 607. The blinding and unblinding function performed is to hide some message issued by the provider 605 by at least making it substantially unrecognizable to signer 602, and then to recover from the signature returned by signer 602 what would have been the signature had the signer signed the original message. Furthermore, blinding, as is well known in the art and disclosed more fully in the references cited in the background of the invention, makes it substantially infeasible for the set of blinded messages to be linked to the set of unblinded messages. Of course it is the signer's lack of knowledge about the particular outputs of the random source which is believed to make it substantially impossible, in the preferred embodiments, for the signer to link. This blinder 606, as well as the other two blinders 609 and 614, may use for example the embodiments of Fig. 4 or those of Fig. 5, and this may be mixed for the same or for different original messages.

Blinder 609 blinds, as described above, a pair of values corresponding to a signed and unsigned form of a message. In this way, the pair can be tested, as will be described, without even the party performing the test knowing what the actual message bearing the signature is. Thus no corresponding unwinding is needed, as the unblinded form may be retained by the provider 605. By issuing more than one pair of differently blinded forms of the same input pair, so called "re-blinding" as described in the unanticipated blind signature reference may be realized.

Checking party 611 already mentioned, comprising a key source as well as challenge creation and response testing parts, may, but need not, be a distinct party from provider 605 already described. (The checking party 611 is shown in Fig. 2 and 3 as party V, which is the same symbolic name used for the provider and blinding parties in Fig. 1, 4, and 5, but such naming is only for clarity and does not imply that these parties are necessarily the same.) A signature may sometimes be verified immediately by the provider who has requested it, or it may be verified later by some third party who received it directly or indirectly and possibly in blinded form from the provider. The checking party performs a cryptographic protocol in effect with signing party 601, although there may be intermediate blinding and unblinding of messages by blinder 614 and unblinder 616 to be described, which might possibly be controlled by yet another party. While the exemplary embodiments show some particular preferred patterns of interaction between the checking party 611 and the responder 603, any suitable protocol accomplishing the function of distinguishing the three cases described earlier would be appropriate. Furthermore, the preferred embodiments break the challenge and response sequence down into several parts, all or any of which could be combined (so long as for Fig. 3 the issue of the image under the one-way function, messages [32] and [37], precedes the receipt of the values needed by the signing party's checking, messages [33] and [38], and this precedes the release of the pre-image under the one-way function by the signing party, messages [34] and [39]). The challenge is issued responsive, in the exemplary embodiments, to either the signed or unsigned form of the message and to the key from random source 613.



Blinder 614 optionally blinds the challenge(s), responsive to random source 615, before it is received by the signing party.

Responder 603 receives the possibly blinded challenge(s) and issues corresponding response(s). Any sort of response or sequence of responses cooperating with and allowing the checking party to distinguish the three cases would be sufficient. In the preferred embodiments, these responses include exponentiation to powers derived from private key source 604, as shown in detail in Fig. 2 and 3.

Unblinder 616, also responsive to key source 615, unblinds the response. It cooperates with blinder 614 in keeping at least one of the signing party or the checking party from learning the actual messages issued and received by the other party.

Tester 617, responsive to random source 613 and challenger 612, tests the responses to the challenges in a way that allows it to distinguish between three cases: (a) the signed message validly corresponds to the unsigned message, (b) the signed message does not validly correspond to the unsigned message, and (c) the signer is responding to the challenges improperly. These possibilities are distinguished in Fig. 2 by the tests of boxes 203 and 206, and in Fig. 3 by those of boxes 305 and 310. Thus the output of the test may simply be an indication of which of the three cases is thought likely to hold. It should be pointed out that the first box for each figure mentioned above actually distinguishes between case (a) and the other two cases taken together. Thus it might be suitably employed by the provider just after a signature is received, to determine whether it is in fact valid. The second box mentioned distinguishes between the remaining two cases. It need not be used if the first test is positive or when it is otherwise not needed to distinguish between cases (b) and (c). In fact, many applications may not distinguish between cases (b) and (c) for the vast majority of signatures, but it is anticipated that the possibility that they could be distinguished is what makes the applications viable.

While not shown explicitly in Fig. 6 for clarity, it should be pointed out that the signing party 601 may issue public key digital signatures authenticating its responses to inputs. Such digital signatures are well known in the art, and would include both the input and the corresponding output, possibly all under a compressing one-way function or the like. When such a digital signature is shown to a third party, possibly along with the various random choices and messages used to construct the input, the third party is able to authenticate the digital signature and test the input and output as would have been done by tester 617, as would be obvious to those of skill in the art and will be described in detail for some examples later. Thus, such digital signatures might be obtained from the signing party and later provided to a third party so that the third party need not interact with the signing party. This might save a third party, who trusts the signing party, from having to communicate with the signing party in order to check an undeniable signature.

The particular choice of the group under which the exemplary embodiments may operate is not essential to the invention; however, for completeness, various exemplary groups believed suitable will now be discussed along with their representations and some relevant considerations.

One general category of preferred exemplary embodiment would use a group of prime order. Such a group should preferably have a representation for which the already mentioned discrete log problem is believed difficult to solve in practice and for which the group operation and exponentiation are readily performed. Several exemplary such groups are now described.

One class of suitable groups, the multiplicative groups over $GF(2^n)$ where $2^n - 1$ is prime, is quite well known in the art. A survey of the literature on cryptographic use of these and other suitable groups, entitled "Discrete logarithms in finite fields and their cryptographic significance," was published by A. Odlyzko in the proceedings of Eurocrypt 84, T. Beth, N. Cot, and I. Ingemarsson Eds., Springer 1985.

A second and third exemplary class of suitable groups are defined based on the residue classes modulo a suitable large prime. It appears to be currently believed in the art that primes of sizes $2^{512}$ to $2^{1000}$ for example may provide security quite adequate for many applications in practice, though the present invention should in general not be interpreted as limited to groups of any particular size, since it can be applied using groups of any size allowing the requisite computations to be performed. Apparatus and methods for performing the group operation and exponentiation for such groups are by now well known in the art and available from several vendors.

For completeness, a few facts well known in the art will now be reviewed that might be employed to advantage in realizing the present invention efficiently in such groups. Primality tests of various types are quite well known in the art, which are capable of yielding primes of the required size. It is believed that, while proofs that there are infinitely many primes q such that $q - 1$ is twice a prime are not known, experimental results show that such primes seem to occur with substantially the density that might be expected for the sizes mentioned above. Thus a prime with this property may be created simply by trying random numbers of the desired size, discarding those that fail to pass a primality test, and then further requiring that half of one less than a successful candidate also passes a primality test.

A second preferred exemplary embodiment is based on the multiplicative group of residue classes modulo q, with $q - 1 = 2p$ and p a prime, whose least positive representatives are less than or equal to p. The group operation is ordinary multiplication modulo q, except that the result is normalized by taking either the product itself or its additive inverse, whichever has the smaller least positive representative. Thus, all integers between 1 and p inclusive may be regarded as representing the members of the group, such membership being easy to check and such members being easy to map to from some original message space.

A third preferred exemplary embodiment uses the group of squares modulo a prime q also such that (q-1)/2 = p is prime. It is well known in the art that only elements in the group of squares modulo a prime have Jacobi symbol 1 modulo that prime. Efficient algorithms for determining the Jacobi symbol of such values are also well known in the art. Since half the residues modulo such a prime are squares modulo that prime, i.e. have Jacobi symbol 1, it is a simple matter to find elements in the group of squares and to test elements for membership in that group. Another exemplary way to create an element that is known to be a square modulo q is simply to form the element as the square of any element modulo q. It is also well known that an element can be shown to be a square simply by showing its square root. Since every element apart from 1 in the group of squares, or any group of prime order, generates the group of squares, the generator g can readily be taken to be the square of some public number, which allows everyone to verify that g is in the group of squares just by checking that it results from squaring its public square root and that it is not 1.

The prime q and the generator g for this third exemplary embodiment can be readily created as described above in a way which allows anyone receiving them to verify that they have the proper form. Some applications may require an efficient way to map from, say, small integers to elements m suitable for signing. One way to accomplish this, suggested by M. O. Rabin in "Digitalized signatures and public-key functions as intractable as factorization," which appeared as MIT technical report MIT/LCS/TR-212, January 1979, is in effect to multiply the input number by a small power of 2, fill the low-order bits thereby zeroed with random bits, and test for membership in the group; if the test fails, simply replace the low-order bits with randomly chosen bits and repeat until success. Other applications may only require that elements in the group can be created; for these, the squaring of random values mentioned above would be sufficient. Finally, participants should test that the numbers they receive are in the group, which is also readily accomplished as already described.
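The following Python program, added here as an illustration and not part of the patent, carries out the parameter steps just described for the third embodiment: it searches for a prime q with (q-1)/2 also prime by the trial procedure above, tests membership in the group of squares by Euler's criterion (the Legendre symbol, which for a prime modulus coincides with the Jacobi symbol), derives g as the square of a public number so that receivers can check it, and embeds small integers into the group in Rabin's style. The choice of Miller-Rabin as the primality test, the bit sizes and all function names are this example's own; the sizes 2^512 to 2^1000 mentioned above are replaced by a toy size so that the search finishes instantly.

```python
import random


def is_probable_prime(n, rounds=32, rng=None):
    """Miller-Rabin test, one of the well-known probabilistic primality tests.
    A composite survives `rounds` rounds with probability at most 4**-rounds."""
    rng = rng or random.SystemRandom()
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    # write n-1 = 2**s * d with d odd
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness of compositeness
    return True


def find_safe_prime(bits, rng=None):
    """The trial procedure from the text: draw random odd candidates of the
    requested size, discard those failing a primality test, then also require
    (q-1)/2 to pass the test.  The group of squares mod q then has prime
    order p = (q-1)/2."""
    rng = rng or random.SystemRandom()
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q, rng=rng) and is_probable_prime((q - 1) // 2, rng=rng):
            return q


def is_square_mod(v, q):
    """Membership test for the group of squares modulo a prime q (Euler's
    criterion): v is a nonzero square iff v**((q-1)/2) == 1 mod q.  For a prime
    modulus this is exactly the Jacobi (Legendre) symbol test in the text."""
    return 0 < v < q and pow(v, (q - 1) // 2, q) == 1


def generator_from_root(h, q):
    """g = h**2 mod q.  Publishing h alongside g lets anyone confirm that g is a
    square and g != 1, hence a generator of the prime-order group of squares."""
    g = pow(h, 2, q)
    if g == 1:
        raise ValueError("h must not be +1 or -1 modulo q")
    return g


def verify_generator(g, h, q):
    """Receiver-side check: g is the square of the public root h and is not 1."""
    return 1 < g < q and g == pow(h, 2, q)


def random_group_element(q, rng=None):
    """Squaring any random residue yields an element known to be a square."""
    rng = rng or random.SystemRandom()
    return pow(rng.randrange(2, q - 1), 2, q)


def embed_message(n, q, low_bits=8, rng=None):
    """Rabin-style embedding: shift n left by low_bits (multiply by a small
    power of 2), fill the zeroed low bits randomly, and retry until the result
    is a square mod q.  Each attempt succeeds with probability about 1/2."""
    rng = rng or random.SystemRandom()
    base = n << low_bits
    if base + (1 << low_bits) > q:
        raise ValueError("message too large for this modulus")
    while True:
        m = base | rng.getrandbits(low_bits)
        if is_square_mod(m, q):
            return m


def extract_message(m, low_bits=8):
    """Inverse of embed_message: drop the random low-order bits."""
    return m >> low_bits


if __name__ == "__main__":
    q = find_safe_prime(64)
    p = (q - 1) // 2
    g = generator_from_root(4, q)
    m = embed_message(123456, q)
    print(f"q={q} p={p} g={g} m={m} -> {extract_message(m)}")
```

The receiver-side functions (`is_square_mod`, `verify_generator`) are the checks the text says every participant should run on the numbers it is handed; the search for q is expected to take on the order of (ln q)^2 / 2 candidate draws, which is why the text's 2^512 sizes need a faster primality test than this plain one.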

Another exemplary embodiment uses a group with a known subgroup of small order (possibly with unknown subgroups of larger, and preferably only much larger, order). For example, consider the group of residues modulo a prime q such that q-1 is twice a prime, as already described. Instead of working with the group of squares or an isomorphic subgroup as already described, the entire group of residues could be used. The inequalities tested by V in the protocols of Fig. 2 and Fig. 3 (i.e. the last lines of boxes 203 and 305) are considered satisfied exactly when either they are satisfied as written or when they would be satisfied were one comparand (i.e. thing to be compared) to be multiplied by -1. The certainty given by the tests of Fig. 2 or Fig. 3 is believed to be essentially the same as that achieved with the group of squares of the same modulus. (For the blinding shown in Fig. 4 under this arrangement, each output is multiplied by -1 or left unchanged by V, the choice depending on an unbiased independent coin flip secret to V.)

Yet another preferred exemplary embodiment works with a group which has arbitrary structure. Unlike the groups of public and prime order already described, these groups may have an arbitrary group structure, and may even include many subgroups of small order. The group structure need not be known to any participant, and all or part of it might even secretly or openly be known to some participants. Multiparty security is still achievable in such a setting. But since there may be subgroups of order 2, the protocols of Fig. 3 in particular might have to be repeated j times to yield certainty of 1-1/2^j, since it is believed that each iteration would yield at least certainty of one-half. Naturally the 2 in the previous remark could be replaced by any known lower bound on the order of nontrivial subgroups.



DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 



While it is believed that the notation of Figs. 1-5 would be clear to those of ordinary skill in the art, it is here reviewed for definiteness.

The operations performed are collected together into flowchart boxes. The column that such a box is in indicates which party performs the operation defined in that box. The columns are labeled by party name across the top. Some operations show how messages are formed on the right of the equal sign with the message number (shown in square brackets) on the left of the equal sign. The operation of a party saving a value under a symbolic name is denoted in the same way as that of forming a message, except that the symbolic name appears on the left instead of a message number. Another kind of operation is a test for equality or inequality; these are indicated by the symbols "?=?" and "?≠?", respectively. The party performing one of these tests within a protocol terminates the protocol when the condition is not satisfied; the protocol is stopped when the two comparands of a ?=? differ or when the comparands of a ?≠? are the same. Where the test is at the end of a protocol, the result of the protocol may be thought of as positive when the test would not have caused the protocol to terminate, and negative otherwise. The final kind of operation is that of sending a message. This is shown by a message number on the left, followed by the recipient party's name and an arrow (these appear for readability as either a recipient name then left pointing arrow, when the recipient is on the left, or right pointing arrow then recipient name, when the recipient is on the right), followed by a colon, finally followed by an expression fully denoting the actual value of the message that should be sent. Note that the values of some variables in such message expressions may not be known by the sender and others may be unknown to their recipient.

Several ways to form expressions are used. One is just the word "random". This is used to mean that a value is preferably chosen substantially uniformly from an appropriate set, defined in the text, and substantially independently of everything else in the protocol. Thus a party should preferably employ a physical random number generator for these purposes, but a variety of other techniques may be applied, as already described for boxes 604, 607, 610, 613, and 615. In practice, however, well known pseudo-random generator or hybrid techniques may be applied. Since the results of these random expressions are used as keys which should not be determinable by the other party to the protocol (at least until the creating party may choose to release them), the random generation must be substantially unpredictable to an adversary. The function f is preferably a publicly-agreed one-way function, such functions being well known in the art.

When no operation is shown explicitly, the group operation referred to here as multiplication is assumed. Another kind of expression involves exponents which denote raising to powers in the group. The well known convention is adopted here that operations in the base are group operations and that arithmetic in the exponent is modulo the order of the group. But parties need not actually know the order of the group, in all but one optional case mentioned later, since parties can simply use natural number arithmetic in the exponent. Also, when a random value, as mentioned above, is to be created for use in the exponent, its distribution can be made very close to uniform, even when the order of the group is not known: the exponent is chosen, say, uniformly from 1 to, say, the square of an upper bound on the order of the group.

For clarity in exposition and concreteness, however, the preferred embodiments will be presented here in terms of the multiplicative group of order prime p. As has already been mentioned, the scope of the present invention should not be considered to be limited to any particular group, and the present detailed description could readily be translated by someone of ordinary skill in the art to any suitable group.

Turning now to Fig. 1, the first flowchart for part of the preferred embodiment will now be described in detail. This part shows public key creating and issuing, which need only be carried out once by the signer party S, and also the forming of a single undeniable signature for party V.

Flowchart box 101 shows S choosing x uniformly and at random from the interval 1 to p-1, such random selection as already mentioned. Then S raises g to the x-th power modulo p, such exponentiation already having been described and well known in the art. The resulting residue is then called message [10]. As per the definition of the notation already described, message [10] is then shown as being sent from S to V. This completes the creating and issuing of a public key by S.

Box 102 indicates that after receiving the public key as message [10], V sends an original message m for signing to S as message [11]. For the purposes of the present invention the nature or source of m is not essential and it may be regarded as any suitable message (or blinded message, as has already been mentioned and will be mentioned in detail later).

Box 103 shows how, after receiving message [11], S first forms a signature from it by raising it to the secret power x. The exponentiation is done in this particular exemplary embodiment, as already mentioned, in the group of order p. Finally, the signature denoted as message [12] is shown being sent by S to V, who would ordinarily receive it and retain it for possible later use in one of the other protocol parts.

It may be pointed out here that if an ordinary digital signature is formed by S on the pair comprising message [11] and message [12], sig(f([11], [12])), and this is later shown to a third party who trusts S, then the third party is able to determine that [12] is a valid undeniable signature of [11].

Turning now to Fig. 2, the second flowchart for part of a preferred embodiment will now be described in detail. This part shows a first exemplary arrangement for the checking of an undeniable signature, the issuing of which has just been shown in detail in Fig. 1.

Box 201 shows how V prepares the initial challenge and sends it to S. First a and b are chosen substantially independently and uniformly at random from 1 to p (or in some other suitable way when the order of the group is not known to V, as has already been mentioned). Then message [21] is formed as the product (in the group, as already mentioned) of message [12] raised to the power a and message [10] raised to the power b. This message is then sent by V to S, and should have the form shown in the last line of this box. (But since V does not know x, this is an example of the comment made earlier that neither party acting alone need be able to determine the value of all variables of such expressions.)

Box 202 is the formation and return of S's response to the challenge received from V. The multiplicative inverse of x modulo the order of the group is shown in the usual way in the exponent of message [21], to produce message [22]. Thus, message [22] is shown as being obtained by applying the inverse of the signing function to the message [21]. (A protocol not requiring that the order be known is shown in Fig. 3, to be described in detail.) The resulting message [22] should be of the form shown, m^a g^b, and is shown as being supplied to V.

Box 203 shows the checking of the response [22] received from S by V. First V uses the values of m, g, a, and b known to V to construct the value that should have been returned by S in case the signature was valid. This is done by raising m to the power a and multiplying the result by g raised to the power b. Then V simply compares the value constructed with that received from S in message [22]. If they are equal, then V stops the protocol, as called for by the definition of the symbol ?≠? given above. In this case, V knows that [12] is with high certainty the signature of m corresponding to public key [10]. In the remaining case, that the inequality holds, V continues the protocol with the knowledge that either (a) [12] is not the proper signature or (b) S is trying to improperly deny the signature. The rest of this flowchart allows V to distinguish between these two subcases.

Box 204 is similar to 201 except that c and d are used instead of a and b. First c and d are created by the random expression already described so that they are suitable secret exponents. Then message [24] is formed as the product of message [12] raised to the c power times message [10] raised to the d power. Finally, message [24] is sent by V to S.

Box 205 is again similar to its predecessor, box 202, and in fact the operations performed by S are the same. The only difference is that the input is message [24] instead of [21] and the output is [25] instead of [22]. One consequence of this is that S need not know which of these two steps in the protocol is being performed.

Box 206 shows the final test made by V based on the messages [22] and [25] received from S. The test shown is made by comparing the equality of two essentially similarly constructed quantities. The first is the product of message [22] and g raised to the -b power, all raised to the c power; the second is message [25] times g to the -d power, all to the a power. Notice that the negative exponents on g need not mean that V must compute multiplicative inverses, since the multiplicative inverse of g could have been made public by some other party. As should be obvious to those of skill in the art, however, the comparison can be made in practice without needing multiplicative inverses. There are two cases: if bc > da, test [22]^c ?=? [25]^a g^(bc-da), or if bc ≤ da, test [22]^c g^(da-bc) ?=? [25]^a. Regardless of how the test is made, if the equality holds, then S is with high probability behaving honestly and [12] is not a valid signature; if the equality does not hold, then S is believed to be behaving improperly.

Again the possibility of an ordinary digital signature on the transaction by S is considered. It might in this case contain message [21] and message [22] and could be denoted sig(f([21], [22])). The third party would be supplied this digital signature, m, [12], a, and b by V, and would check the validity of the undeniable signature by checking that the digital signature is valid, [21] ?=? [12]^a [10]^b, and [22] ?=? m^a g^b. Such testing may be considered to be shown in Fig. 2, since essentially the same operations are performed by V.
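Figs. 1 and 2 as just described, written out as an added Python example (not code from the patent): key creation, signing, V's two challenges, S's responses using the inverse of x modulo the group order, V's decision between a valid signature, an invalid signature with an honest S, and an S attempting to deny, and the checks a third party repeats. The parameters q = 2039, p = 1019, g = 5^2 are a constructed toy instance of the third embodiment (the group of squares, of prime order p), far below the sizes the text recommends; the function names, and modelling a denying S as one that answers with a key other than x, are this example's own choices.

```python
import random

# Constructed toy parameters (third embodiment): q = 2p+1, group of squares mod q of prime order p.
Q = 2039
P = (Q - 1) // 2          # 1019
G = pow(5, 2, Q)          # square of a public number, so g is in the group and g != 1


def random_exponent(rng):
    """A secret exponent 'random' in the text's sense: uniform over 1..p-1."""
    return rng.randrange(1, P)


def keygen(rng):
    """Fig. 1, box 101: private key x, public key [10] = g^x."""
    x = random_exponent(rng)
    return x, pow(G, x, Q)


def sign(m, x):
    """Fig. 1, box 103: undeniable signature [12] = m^x (m must be a group element)."""
    return pow(m, x, Q)


def challenge(sig, pub, e1, e2):
    """Fig. 2, boxes 201/204: [21] (or [24]) = [12]^e1 [10]^e2."""
    return pow(sig, e1, Q) * pow(pub, e2, Q) % Q


def make_responder(x, honest=True):
    """S's side of boxes 202/205: return challenge^(1/x), 1/x taken modulo the
    order p.  With honest=False, S tries to deny by answering with a different
    key x' != x (this example's model of 'improperly performing the protocol')."""
    key = x if honest else x % (P - 1) + 1   # any key other than x
    key_inv = pow(key, -1, P)
    return lambda ch: pow(ch, key_inv, Q)


def final_test(r1, b, c, r2, d, a):
    """Box 206 done without multiplicative inverses, as the text explains:
    ([22] g^-b)^c ?=? ([25] g^-d)^a, with the g-terms moved to whichever side
    keeps the exponent non-negative."""
    if b * c > d * a:
        return pow(r1, c, Q) == pow(r2, a, Q) * pow(G, b * c - d * a, Q) % Q
    return pow(r1, c, Q) * pow(G, d * a - b * c, Q) % Q == pow(r2, a, Q)


def verify(m, sig, pub, respond, rng):
    """V's side of Fig. 2.  Returns 'valid', 'invalid' (honest S, [12] is not a
    signature on m) or 'signer_cheating'."""
    a, b = random_exponent(rng), random_exponent(rng)
    r1 = respond(challenge(sig, pub, a, b))                    # [22]
    if r1 == pow(m, a, Q) * pow(G, b, Q) % Q:                  # box 203
        return "valid"
    c, d = random_exponent(rng), random_exponent(rng)
    r2 = respond(challenge(sig, pub, c, d))                    # [25]
    if final_test(r1, b, c, r2, d, a):                         # box 206
        return "invalid"
    return "signer_cheating"


def third_party_check(m, sig, pub, a, b, ch, resp):
    """What a third party re-checks once S has put an ordinary digital signature
    on the pair ([21], [22]) (verification of that signature is assumed done):
    [21] ?=? [12]^a [10]^b and [22] ?=? m^a g^b."""
    return ch == challenge(sig, pub, a, b) and resp == pow(m, a, Q) * pow(G, b, Q) % Q


if __name__ == "__main__":
    rng = random.SystemRandom()
    x, pub = keygen(rng)
    m, other = pow(7, 2, Q), pow(11, 2, Q)       # two group elements (squares)
    sig = sign(m, x)
    print(verify(m, sig, pub, make_responder(x), rng))                  # valid
    print(verify(m, sign(other, x), pub, make_responder(x), rng))       # invalid
    print(verify(m, sig, pub, make_responder(x, honest=False), rng))    # signer_cheating (w.h.p.)
```

With an honest S the first two outcomes are exact, not probabilistic: the box 203 equality holds if and only if [12] = m^x, and the box 206 equality then always holds. A denying S escapes detection only when V's random exponents happen to satisfy a relation of probability about 1/p, which is why the text wants p of several hundred bits rather than the toy value used here.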

Turning now to Fig. 3, the third flowchart for part of a preferred embodiment will now be described in detail. This part shows a second alternate arrangement for the checking of an undeniable signature, the issuing of which has already been shown in detail in Fig. 1.

Box 301 is similar to box 201 in that a first challenge is created based on two randomly generated exponents, called again here a and b. Thus, V chooses these two exponents substantially independently and uniformly, and keeps them secret. What V sends to S in message [31] is the product of m raised to the a and g raised to the b. Notice that since all of these values are known to V, the explicit construction of the message is omitted from the flowchart and its value is shown in the line for the sending of the message only.



Box 302 entails S raising the received message [31] to the x power and then applying the one-way function f to the result. This image under the one-way function is what is returned to V by S in message [32].

Box 303 merely indicates that after receiving message [32] from S, V forwards m, a, and b individually to S in messages [33.1], [33.2], and [33.3], respectively.

Box 304 first shows how S tests that all the messages received from V during this part of the protocol, [31], [33.1], [33.2], and [33.3], are mutually consistent. This is accomplished by testing the equality of [31] with the result of reconstructing its value from the others. The reconstruction is accomplished by forming the product of [33.1] raised to the [33.2] with g raised to the [33.3]. If the equality is not satisfied, S stops the protocol, as per the definition of the notation, and knows that V has been supplying improper messages. If the equality is satisfied, S returns to V message [31] raised to the secret power x in the form of message [34].

Box 305 shows two tests by V. The first checks that [34] really is the inverse image of [32] under f. If this test fails, then V stops the protocol knowing that S was supplying improper messages. Otherwise V makes a test similar in intention and form to that of box 203. Message [34] is tested for inequality with the product of message [12] raised to the power a and message [10] raised to the power b. If they are equal, then V stops the protocol and knows that with high probability [12] is indeed the signature of m corresponding to public key [10]. In case the inequality does hold, V continues the protocol but with the knowledge that either (a) [12] is not the proper signature or (b) S has tried to improperly deny the signature. And as with Fig. 2, the remaining part of this flowchart allows V to distinguish between these two subcases.

Box 306 is similar to box 204 in that a second challenge is created based on two randomly generated exponents, called again here c and d, but they are combined into the challenge in the style of 301. That is, [36] is formed as the product of m raised to the c times g raised to the d, and it is supplied by V to S.

Box 307 shows S raising the received message [36] to the x power and then applying the one-way function f to the result. This image under the one-way function is what is returned to V by S in message [37].

Box 308 denotes that after receiving message [37] from S, V sends a and b individually to S in messages [38.1] and [38.2], respectively.

Box 309 first shows how S tests the mutual consistency of messages [36], [33.1], [38.1], and [38.2] received from V. This is accomplished by testing the equality of [36] and the product of [33.1] raised to the [38.1] times g raised to the [38.2]. If the equality is not satisfied, S stops the protocol knowing that V has been supplying improper messages. If the equality is satisfied, S supplies V with message [36] raised to the power x, called message [39].

Box 310 shows two tests by V. The first checks that [39] is the inverse image of [37] under f. If this is not so, then V stops the protocol knowing that S was supplying improper messages. The second tests messages [34] and [39] received from S. The test shown compares the equality of two values. The first value is the product of message [34] and g raised to the -b power, all raised to the c power; the second is message [39] times g to the -d power, all to the a power. Again, as should be obvious to those of skill in the art, the comparison can be made in practice without computing multiplicative inverses. There are two cases: if bc > da, test [34]^c ?=? [39]^a g^(bc-da), or if bc ≤ da, test [34]^c g^(da-bc) ?=? [39]^a. No matter how the test is made, if the equality holds, then S is with high probability behaving honestly and [12] is not a valid signature; if the equality does not hold, then S is believed certainly to be performing improperly.

A digital signature issued for this protocol by S need include only messages [31] and [34], and would thus be of the form sig(f([31], [34])). The third party would additionally be supplied m, [12], a, and b by V, and would check the validity of the undeniable signature by checking that the digital signature is valid, [31] ?=? m^a g^b and [34] ?=? [12]^a [10]^b. Such testing again may be considered to be shown in Fig. 3, since it entails essentially the same operations already shown as performed by V.
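The Fig. 3 variant, as an added Python example (not the patent's code): S first returns only the image under f of [31]^x, V then reveals m, a and b, S checks that [31] was formed from them before releasing [34], and V checks the opening against the commitment. Here f is taken to be SHA-256 of the decimal representation (the text asks only for a publicly agreed one-way function), and q, p and g are the same constructed toy parameters as in the Fig. 2 example. One reading of box 310 is this example's own and is labelled as such: the element divided out in the closing test is the public key [10] raised to b (respectively d) rather than g, because [34] = (m^a g^b)^x = m^ax [10]^b, so only [10]^b cancels the g-part and leaves m^acx on both sides.

```python
import hashlib
import random

Q = 2039                  # constructed toy parameters, as in the Fig. 2 example
P = (Q - 1) // 2
G = pow(5, 2, Q)


def f(v):
    """Publicly agreed one-way function (assumed here: SHA-256 of the decimal string)."""
    return hashlib.sha256(str(v).encode()).hexdigest()


class Signer:
    """S's side of Fig. 3: commit, check V's opening, then reveal."""

    def __init__(self, rng, cheat=False):
        self.x = rng.randrange(1, P)
        self.pub = pow(G, self.x, Q)            # [10] = g^x
        self.cheat = cheat

    def sign(self, m):
        return pow(m, self.x, Q)                # [12] = m^x

    def commit(self, ch):
        """Boxes 302/307: [32] = f([31]^x); nothing about [31]^x is revealed yet."""
        return f(pow(ch, self.x, Q))

    def reveal(self, ch, m, e1, e2):
        """Boxes 304/309: check [31] ?=? m^a g^b from V's opened values, then
        return [34] = [31]^x.  A cheating S substitutes a different element
        after learning a and b; the earlier commitment makes that detectable."""
        if ch != pow(m, e1, Q) * pow(G, e2, Q) % Q:
            raise ValueError("V supplied inconsistent messages")
        answer = pow(ch, self.x, Q)
        return answer * G % Q if self.cheat else answer


def final_test(r1, b, c, r2, d, a, pub):
    """Box 310 without inverses (example's reading, see lead-in):
    ([34] [10]^-b)^c ?=? ([39] [10]^-d)^a."""
    if b * c > d * a:
        return pow(r1, c, Q) == pow(r2, a, Q) * pow(pub, b * c - d * a, Q) % Q
    return pow(r1, c, Q) * pow(pub, d * a - b * c, Q) % Q == pow(r2, a, Q)


def round_trip(signer, m, e1, e2):
    """One commit/open exchange: V sends [31] = m^e1 g^e2, receives [32], opens
    (m, e1, e2) as [33.x], receives [34], and checks f([34]) == [32]."""
    ch = pow(m, e1, Q) * pow(G, e2, Q) % Q
    com = signer.commit(ch)
    r = signer.reveal(ch, m, e1, e2)
    return r, f(r) == com


def verify(m, sig, signer, rng):
    """V's side of Fig. 3.  Returns 'valid', 'invalid' or 'signer_cheating'."""
    a, b = rng.randrange(1, P), rng.randrange(1, P)
    r1, ok = round_trip(signer, m, a, b)
    if not ok:
        return "signer_cheating"                                    # box 305, first test
    if r1 == pow(sig, a, Q) * pow(signer.pub, b, Q) % Q:            # box 305, second test
        return "valid"
    c, d = rng.randrange(1, P), rng.randrange(1, P)
    r2, ok = round_trip(signer, m, c, d)
    if not ok:
        return "signer_cheating"                                    # box 310, first test
    if final_test(r1, b, c, r2, d, a, signer.pub):                  # box 310, second test
        return "invalid"
    return "signer_cheating"


if __name__ == "__main__":
    rng = random.SystemRandom()
    s = Signer(rng)
    m, other = pow(7, 2, Q), pow(11, 2, Q)
    print(verify(m, s.sign(m), s, rng))                     # valid
    print(verify(m, s.sign(other), s, rng))                 # invalid
    cheater = Signer(rng, cheat=True)
    print(verify(m, cheater.sign(m), cheater, rng))         # signer_cheating
```

Note what the commitment buys compared with Fig. 2: S never needs 1/x, so the group order need not be known to S, and an S that changes its answer after seeing a and b is caught by the f check with certainty rather than with probability about 1-1/p.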

Turning now to Fig. 4, the fourth flowchart for part of the preferred embodiment will now be described in detail. This part shows one kind of blinding, called "exponential blinding", of a message by party V, raising the result to a secret power by S, and unblinding of the returned message by V. As will be obvious to those of ordinary skill in the art, and will be described later in detail, these operations are generic: blinding could be performed by V on any message before it is raised to a secret power by S, and the result returned by S could be unblinded. In particular, it could be applied to all three blindings and unblindings shown in Fig. 6, i.e. 606 and 608; 609 alone; or 614 and 616.

Box 401 shows how V blinds message u and sends it to S. First V chooses r independently and uniformly from 1 to p-1. Then V raises u to the power r to form message [41], which V sends to S.

Box 402 shows receipt of message [41] by S and its transformation and subsequent return to V. To make the transformation, S raises message [41] to the secret power y; the result is supplied to V as message [42].

Box 403 shows the unblinding of the blinded message received by V. The multiplicative inverse of r modulo the order of the group is applied as an exponent to the message [42] received from S, and the result is shown as message [43]. For clarity, the last line of box 403 shows parenthetically that the value of message [43] should be u raised to the y power.

Box 404 shows the optional creation of another secret blinding key t, and its use in re-blinding the message u. First t is created at random as r was. Then message [44] is formed as u raised to the power t. Message [45] is shown as being created by raising message [43] to the t power. For clarity, the last line of box 404 again shows parenthetically that the value of message [45] should be u raised to the power yt.

Some specific examples will now be presented so that some exemplary embodiments of the generic exponential blinding and unblinding operations just described in detail may be more fully appreciated. In Fig. 1, message [11] could be blinded by V before being sent to S for signing (i.e. y = 1/x), and the resulting message [12] could be unblinded by V before it is used in Fig. 2, as is shown by blinder 606 and unblinder 608 already described. Message [31] could also be blinded before being sent to S in the testing of Fig. 3 (y = x), and the returned message [34] could be unblinded before being tested, as shown by blinder 614 and unblinder 616; the blinding of message [36] and the testing of the returned message [39] would of course be essentially the same. When the same operations are applied for Fig. 2, it will be obvious to those of ordinary skill in the art that the exponent used in boxes 401 and 403 would be exchanged (with y = 1/x) if they are to serve as 606 and 608, respectively. Notice that messages [44] and [45] could be regarded as the unsigned and signed form, respectively, of a single blinded message, such as might be used as input to challenger 612, for either Fig. 2 or Fig. 3.

As would be obvious to those of ordinary skill in the art, the blinding of various messages can be superimposed, to give for example double blinding as disclosed in the application entitled "blind signature systems," by the present applicant, already mentioned in the description of the prior art. So called "re-blinding" was disclosed for the unanticipated blind signature system already referenced in the description of the prior art. For the present invention, a kind of re-blinding is also possible. The result of re-blinding is a pair comprising a blinded message and a blinded signature of that message. These could then be used in the protocol of Fig. 2 as just described. Some other protocol, such as that disclosed by Chaum and Evertse in "A secure and privacy-protecting protocol for transmitting personal information between organizations", Proceedings of Crypto 86, A. Odlyzko Ed., Springer 1987, might be used to show that these re-blinded messages are related to some other messages in a desired way, and the protocol of Fig. 2 for instance used to show that one member of the pair is in fact a signature on the other member.

Ordinary digital signatures could be used here again to allow a third party to check a transaction that is blinded in the way shown in Fig. 5. In addition to the other data already described in detail for Figs. 1-3, the exponent r must also be provided to the third party to allow checking. Then the third party performs the checks as already described, except that the expression corresponding to the input to S must be raised to the r power and the multiplicative inverse of r modulo p must be applied to the expression for the output of S, as would be obvious to those of skill in the art.

Turning now to Fig. 5, the fifth flowchart for part of the preferred embodiment will now be described in detail. This part shows another kind of blinding, related to the "blinding for unanticipated signatures" already referenced in the background of the invention, in which a message is blinded by V, the result is raised by S to a secret power y, and the returned message is unblinded by V.

Box 501 shows how V blinds message m and sends it to S. First V chooses r independently and uniformly from 1 to p-1. Then V raises g to the power r and multiplies the result with m to form message [51], which V sends to S.

Box 502 shows receipt of message [51] by S and its signing and subsequent return to V. To make the signature, S raises message [51] to the secret power y; the result is supplied to V as message [52].

Box 503 shows the unblinding of the signed blinded message received by V. The multiplicative inverse of message [10] raised to the r is first formed. Then this is multiplied with message [52] received from S, and the result is shown as message [53]. Again for clarity, the last line of box 503 shows parenthetically that message [53] should have the value m raised to the y power.

Box 504 shows the optional creation of another secret blinding key t, and its use in re-blinding the message m. First t is created at random as r was. Then message [54] is formed as m times g to the power t. Message [55] is shown as being created by raising message [10] to the t power and multiplying the result by message [53]. For clarity, the last line of box 504 again shows parenthetically that the value of message [55] should be m raised to the power y times g raised to the power yt. It should be pointed out that the forming of message [55] has been shown for clarity only in the case when x = y, but, as would be obvious to those of skill in the art, in the case when y = 1/x message [55] would not be formed from message [10], but would rather be formed from the analog of message [10] that contains the value g^(1/x). Notice that messages [54] and [55] could again be regarded as the unsigned and signed form, respectively, of a single blinded message.

As an example use of such unanticipated signature techniques adapted to this setting, the signing operation of Fig. 1 might be performed so as to yield V an undeniable signature unlinkable by S. That is, if a plurality of such signatures are obtained with independent r's, then S should be unable to determine anything about which signature corresponds with which instance of the signing process. The pair comprising a blinded message and a blinded signature of that message used in re-blinding has already been shown in box 504, and the comments already made for box 404 could apply to this box as well.

Some specific examples will now be presented so that some exemplary embodiments of the generic unanticipated signature blinding and unblinding operations just described in detail may be more fully appreciated. In Fig. 1, message [11] could be blinded by V before being sent to S for signing (i.e. y = 1/x), and the resulting message [12] could be unblinded by V before it is used in Fig. 2, as is shown by blinder 606 and unblinder 608 already described. Message [31] could also be blinded before being sent to S in the testing of Fig. 3 (y = x), and the returned message [34] could be unblinded before being tested, as shown by blinder 614 and unblinder 616; the blinding of message [36] and the testing of the returned message [39] would of course be essentially the same. When the same operations are applied for Fig. 2, it will be obvious to those of skill in the art that the exponent used in boxes 501 and 503 would be exchanged (with y = 1/x) if they are to serve as 606 and 608, respectively. Notice that messages [54] and [55] could be regarded as the unsigned and signed form, respectively, of a single blinded message, such as might be used as input to challenger 612, for either Fig. 2 or Fig. 3.

Ordinary digital signatures could again be used to allow a third party to check a transaction that is blinded in the way shown in Fig. 5. In addition to the other data already described in detail for Figs. 1-3, the exponent r must also be provided to the third party to allow checking. Then the third party performs the checks as already described, except that the blinding factor must be included in the expression corresponding to the input to S and [10]^r must be included in the expression for the output of S.
As again would be obvious to those of ordinary skill in the art, the blinding of various messages can be superimposed to give double blinding as already mentioned, and re-blinding is also possible as already described during the detailed description for Fig. 4.
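Both blinding forms, Fig. 4 (exponential) and Fig. 5 (unanticipated), as one added Python example rather than code from the patent: V blinds, S applies its secret power without seeing anything but a blinded value, V unblinds, optionally re-blinds, and a third party given r repeats the checks described above. It uses the same constructed toy parameters q = 2039, p = 1019, g = 5^2 as the earlier examples and takes the case x = y mentioned for box 504, in which S's operation is the signing step of box 103 and the unblinded result is the undeniable signature m^x; the function names are the example's own.

```python
import random

Q = 2039                      # constructed toy parameters (group of squares mod q, prime order p)
P = (Q - 1) // 2
G = pow(5, 2, Q)


def keygen(rng):
    x = rng.randrange(1, P)
    return x, pow(G, x, Q)                    # x, [10] = g^x


def signer_power(v, y):
    """S's only step in boxes 402 and 502: raise whatever it receives to y."""
    return pow(v, y, Q)


# Fig. 4: exponential blinding -----------------------------------------------
def exp_blind(u, r):
    """Box 401: [41] = u^r."""
    return pow(u, r, Q)


def exp_unblind(v, r):
    """Box 403: [43] = [42]^(1/r), 1/r taken modulo the group order p."""
    return pow(v, pow(r, -1, P), Q)


def exp_reblind(u, unblinded, t):
    """Box 404: ([44], [45]) = (u^t, [43]^t), an unsigned/signed pair."""
    return pow(u, t, Q), pow(unblinded, t, Q)


def exp_third_party_check(u, sig, r, blinded, signed_blinded):
    """Third-party check with r disclosed: S's input must be u^r and S's output sig^r."""
    return blinded == pow(u, r, Q) and signed_blinded == pow(sig, r, Q)


# Fig. 5: unanticipated-signature blinding -----------------------------------
def mul_blind(m, r):
    """Box 501: [51] = m g^r."""
    return m * pow(G, r, Q) % Q


def mul_unblind(v, pub, r):
    """Box 503: [53] = [52] / [10]^r  (with y = x, [10]^r = g^(xr) is the factor to remove)."""
    return v * pow(pow(pub, r, Q), -1, Q) % Q


def mul_reblind(m, unblinded, pub, t):
    """Box 504: ([54], [55]) = (m g^t, [10]^t [53]), again an unsigned/signed pair."""
    return m * pow(G, t, Q) % Q, pow(pub, t, Q) * unblinded % Q


def mul_third_party_check(m, sig, pub, r, blinded, signed_blinded):
    """Third-party check with r disclosed: the blinding factor g^r is included
    on the input side and [10]^r on the output side."""
    return blinded == m * pow(G, r, Q) % Q and signed_blinded == sig * pow(pub, r, Q) % Q


def blind_signing_session(m, x, pub, r, t, exponential):
    """Whole exchange for one message.  Returns (signature, re-blinded pair,
    result of the third-party check)."""
    if exponential:
        blinded = exp_blind(m, r)
        signed_blinded = signer_power(blinded, x)
        sig = exp_unblind(signed_blinded, r)
        pair = exp_reblind(m, sig, t)
        ok = exp_third_party_check(m, sig, r, blinded, signed_blinded)
    else:
        blinded = mul_blind(m, r)
        signed_blinded = signer_power(blinded, x)
        sig = mul_unblind(signed_blinded, pub, r)
        pair = mul_reblind(m, sig, pub, t)
        ok = mul_third_party_check(m, sig, pub, r, blinded, signed_blinded)
    return sig, pair, ok


if __name__ == "__main__":
    rng = random.SystemRandom()
    x, pub = keygen(rng)
    m = pow(7, 2, Q)
    for exponential in (True, False):
        r, t = rng.randrange(1, P), rng.randrange(1, P)
        sig, (u, s), ok = blind_signing_session(m, x, pub, r, t, exponential)
        print(exponential, sig == pow(m, x, Q), s == pow(u, x, Q), ok)
```

The exponential form needs the group order (to invert r), which is the "one optional case" the notation section mentions; the Fig. 5 form needs only the public key [10] and so works when the order is unknown. In both, S sees a value that is uniformly distributed over the group for uniform r, which is what the unlinkability claim for independent r's rests on.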

Another variation that would be obvious to those of ordinary skill in the art would involve plural original message parts in a signature. The signature would consist of the product of each such message part raised to a different power. The challenge would contain a separate message corresponding to each part of a signature. The response would be the product of all such messages of a challenge, each having the exponent corresponding to the corresponding message part.

A further and not necessarily mutually exclusive use anticipated would be to include more than two terms in a challenge message. With such an arrangement the mutual consistency of more than two message/signature pairs could be tested while keeping some of the message and processing costs the same. Different random exponents could be used on each term, but if there were sufficiently many terms, it is anticipated that various possibly randomly chosen combinations of possibly smaller exponents might be used.
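As an added illustration (not code from the patent), the following toy Python version of the confirmation protocol of claims 2 and 3 lets the challenge carry any number of terms, as anticipated in the paragraph above, and shows how a forged pair or an improper response is rejected. The group parameters, message values and all function names are constructed assumptions.

```python
import secrets

# Toy group constructed for this example: P = 2*Q + 1 with Q prime, and G
# generates the order-Q subgroup (the quadratic residues) in which every
# message, signature, challenge and response lives.
P, Q, G = 1019, 509, 4

def keygen():
    """Signing party: secret signing power x and public key y = G^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, m):
    """Undeniable signature: the unsigned message raised to the secret power."""
    return pow(m, x, P)

def make_challenge(signed, exps):
    """Checking party: product of the signed messages, each raised to its own
    exponent from the challenge key; any number of terms is allowed."""
    c = 1
    for z, a in zip(signed, exps):
        c = c * pow(z, a, P) % P
    return c

def respond(x, c):
    """Signing party: raise the challenge to the inverse of the signing power."""
    return pow(c, pow(x, -1, Q), P)

def check(unsigned, exps, response):
    """Checking party: the response must equal the same product formed from
    the unsigned messages. If exactly one signed element is replaced by another
    subgroup element the mismatch shows for every nonzero exponent; a signer
    trying to deny can only succeed by guessing the expected element (~1/Q)."""
    expected = 1
    for m, a in zip(unsigned, exps):
        expected = expected * pow(m, a, P) % P
    return expected == response

def confirm(x, unsigned, signed):
    """One honest round with fresh random exponents; returns the verdict."""
    exps = [secrets.randbelow(Q - 1) + 1 for _ in unsigned]
    return check(unsigned, exps, respond(x, make_challenge(signed, exps)))

if __name__ == "__main__":
    x, y = keygen()
    msgs = [pow(h, 2, P) for h in (7, 123, 500)]  # squared: lie in the subgroup
    sigs = [sign(x, m) for m in msgs]
    # Adding the pair (G, y) ties the whole check to the public key.
    print(confirm(x, msgs + [G], sigs + [y]))  # True
```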

While these descriptions of the present invention have been given as examples, it will be appreciated by those of ordinary skill in the art that various modifications, alternate configurations and equivalents may be employed without departing from the spirit and scope of the present invention.



Claims 

1. A cryptographic method for forming and checking undeniable signatures based on the issuance of a public key by a signing party where the signatures are called "undeniable" because they can be verified in a protocol between a checking party and the signing party in which the signing party is unable to conduct the protocol improperly so as to "deny" the validity of a valid signature without there being at least a substantially high probability that the verifying party will learn that the signing party is conducting the protocol improperly, the method comprising the steps of:
creating a public key and a corresponding private key by a signing party and providing the public key to at least a checking party;
supplying an unsigned message by a provider party to said signing party;
forming an undeniable signature on said unsigned message received by said signing party, at least responsive to said private key corresponding to said public key, and returning the resulting undeniably signed message to said provider party;
forming at least one challenge, by a checking party, responsive to a challenge key substantially at least temporarily unknown to said signing party and responsive to at least one member of the pair comprising said undeniably signed message and said unsigned message, and supplying said challenge to said signing party;
transforming at least one said challenge received by said signing party at least partially responsive to said private key and returning the result as a response to said checking party; and
checking at least one said response received by said checking party responsive both to said challenge key and to at least the other member of said pair comprising said undeniably signed message and said unsigned message, so as to give substantially high certainty in distinguishing between the three cases (a) that the purported undeniably signed message is a valid undeniable signature corresponding both to said public key and to said unsigned message, (b) that the purported undeniably signed message is not a valid undeniable signature corresponding both to said public key and to said unsigned message, and (c) that the response by the signing party is an improper response.

2. The method of claim 1, wherein said signing step includes raising said unsigned message to a secret signing power derived from said private key, such exponentiation being performed in a finite structure where it is defined.

3. The method of claim 2, wherein:
at least part of said challenge is formed responsive to at least two undeniably signed messages by raising them to powers derived from said challenge key;
at least part of said response is formed by raising at least part of said challenge to a power acting as an inverse of said secret signing power; and
said checking is performed at least in part by raising the at least two unsigned messages corresponding to said at least two undeniably signed messages to powers derived from said challenge key.

4. The method of claim 2, wherein:
at least part of said challenge is formed responsive to at least two unsigned messages by raising them to powers derived from said challenge key;
at least part of said response is formed by raising at least part of said challenge to said secret signing power; and
said checking is performed at least in part by raising the at least two undeniably signed messages corresponding to said at least two unsigned messages to powers derived from said secret challenge key.
5. The method as in claim 1, further comprising the steps of:
blinding said unsigned message responsive to a blinding key before providing the resulting blinded unsigned message to said signing party in place of said unsigned message; and
unblinding said undeniably signed message returned by said signing party responsive to said blinding key.

6. The method as in claim 1, further comprising 
the steps of: 

blinding, responsive to a blinding key, said undeni- 
ably signed message and also said corresponding 
unsigned message; and 

using said blinded undeniably signed and said 
blinded unsigned messages in place of said un- 
deniably signed and said unsigned messages, re- 
spectively, by said checking party in forming said 
challenge and in checking said response. 

7. The method as in claim 1, further comprising 
the steps of: 

blinding, responsive to a blinding key, at least part 
of one of said challenge and said response; and 
unblinding, responsive to said blinding key, at least 
part of the other one of said challenge and said 
response. 

8. The method of claims 5, 6, or 7 wherein: 
said signing step includes raising said unsigned 
message to a secret signing power derived from 
said private key, such exponentiation being per- 
formed in a finite structure where it is defined; 
said blinding step includes the operation of raising 
the message to be blinded to a power derived from 
said blinding key; and 

said unblinding step includes raising the message 
to be unblinded to a power that acts as an inverse 
operation to that of said blinding operation. 

9. The method of claims 5, 6, or 7 wherein:
said signing step includes raising said unsigned message to a secret signing power derived from said private key, such exponentiation being performed in a finite structure where it is defined;
said blinding step includes forming a product of at least a first message which is raised to a blinding power derived from said blinding key times at least a second message to be blinded; and
said unblinding step includes forming a product of the multiplicative inverse of the undeniably signed form of said first message raised to the blinding power times said second message.
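An added example, not the patent's own code: the two blinding styles of claims 8 and 9 used to obtain a signature without showing the signing party the message itself (claim 5), in a constructed toy group. The parameters, the `signer` callable standing in for the signing party, and the message values are assumptions.

```python
import secrets

# Toy group constructed for this example: P = 2*Q + 1 with Q prime, G of
# order Q. Messages must lie in the order-Q subgroup for r^-1 mod Q to work.
P, Q, G = 1019, 509, 4

def sign(x, m):
    """Signing party's operation: m raised to the secret signing power x."""
    return pow(m, x, P)

def obtain_exponent_blinded(signer, m, r):
    """Claim 8 style: send m^r, receive (m^r)^x, raise that to r^-1 mod Q.
    `signer` stands for the signing party; it only ever sees the blinded
    message. Returns (signature on m, what the signer saw)."""
    blinded = pow(m, r, P)
    return pow(signer(blinded), pow(r, -1, Q), P), blinded

def obtain_product_blinded(signer, m, m1, z1, r):
    """Claim 9 style: send m1^r * m, receive z1^r * m^x, then divide out
    z1^r. (m1, z1) is any pair the provider already knows to be validly
    signed; the generator and the public key (G, G^x) serve. Same return shape."""
    blinded = pow(m1, r, P) * m % P
    signature = pow(pow(z1, r, P), -1, P) * signer(blinded) % P
    return signature, blinded

if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1       # signing party's secret
    y = sign(x, G)                          # its public key
    signer = lambda t: sign(x, t)           # the signing party as a black box
    m = pow(321, 2, P)                      # message, squared into the subgroup
    r = 17                                  # provider's blinding key (fixed here)
    sig_a, seen_a = obtain_exponent_blinded(signer, m, r)
    sig_b, seen_b = obtain_product_blinded(signer, m, G, y, r)
    print(sig_a == sig_b == sign(x, m), seen_a != m, seen_b != m)  # True True True
```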

10. The method of claims 1, 2, 3, or 4 including 
the steps of: 

issuing a public key digital signature by said sign- 
ing party responsive to at least one said challenge 
and one said response; and 
checking said public key digital signature. 



11. Apparatus for forming and checking undeniable signatures based on the issuance of a public key by a signing party where the signatures are called "undeniable" because they can be verified by means for forming and transferring messages between a checking party and the signing party in which the signing party is unable to conduct the transfers improperly so as to "deny" the validity of a valid signature without there being at least a substantially high probability that the verifying party will detect that the signing party is conducting the protocol improperly, the apparatus comprising:
means for creating a public key and a corresponding private key by a signing party and for providing the public key to at least a checking party;
means for supplying an unsigned message by a provider party to said signing party;
means for forming an undeniable signature on said unsigned message received by said signing party, at least responsive to said private key corresponding to said public key, and for returning the resulting undeniably signed message to said provider party;
means for forming at least one challenge, by a checking party, responsive to a challenge key substantially at least temporarily unknown to said signing party and responsive to at least one member of the pair comprising said undeniably signed message and said unsigned message, and for supplying said challenge to said signing party;
means for transforming at least one said challenge received by said signing party at least partially responsive to said private key and for returning the result as a response to said checking party; and
means for checking at least one said response received by said checking party responsive both to said challenge key and to at least the other member of said pair comprising said undeniably signed message and said unsigned message, so as to give substantially high certainty in distinguishing between the three cases (a) that the purported undeniably signed message is a valid undeniable signature corresponding both to said public key and to said unsigned message, (b) that the purported undeniably signed message is not a valid undeniable signature corresponding both to said public key and to said unsigned message, and (c) that the response by the signing party is an improper response.

12. Apparatus as in claim 11, wherein said signing means includes means for raising said unsigned message to a secret signing power derived from said private key, such exponentiation being performed in a finite structure where it is defined.

13. Apparatus as in claim 12, wherein:
at least part of said challenge is formed responsive to at least two undeniably signed messages by means for raising them to powers derived from said challenge key;
at least part of said response is formed by means for raising at least part of said challenge to a power acting as an inverse of said secret signing power; and
said checking is performed at least in part by means for raising the at least two unsigned messages corresponding to said at least two undeniably signed messages to powers derived from said challenge key.

14. Apparatus as in claim 12, wherein:
at least part of said challenge is formed responsive to at least two unsigned messages by means for raising them to powers derived from said challenge key;
at least part of said response is formed by means for raising at least part of said challenge to said secret signing power; and
said means for checking includes at least means for raising the at least two undeniably signed messages corresponding to said at least two unsigned messages to powers derived from said secret challenge key.

15. Apparatus as in claim 11, further comprising:
means for blinding said unsigned message responsive to a blinding key before the resulting blinded unsigned message is provided to said signing party in place of said unsigned message; and
means for unblinding said undeniably signed message returned by said signing party responsive to said blinding key.

16. Apparatus as in claim 11, further comprising:
means for blinding, responsive to a blinding key, said undeniably signed message and also for blinding said corresponding unsigned message; and
means for using said blinded undeniably signed and said blinded unsigned messages in place of said undeniably signed and said unsigned messages, respectively, by said checking party in said means for forming said challenge and for checking said response.

17. Apparatus as in claim 11, further compris- 
ing: 

means for blinding, responsive to a blinding key, at 
least part of one of said challenge and said re- 
sponse; and 

means for unblinding, responsive to said blinding 
key, at least part of the other one of said challenge 
and said response. 

18. Apparatus as in claims 15, 16, or 17 wherein:
said means for signing includes means for raising said unsigned message to a secret signing power derived from said private key, such exponentiation being performed in a finite structure where it is defined;
said means for blinding includes means for raising the message to be blinded to a power derived from said blinding key; and
said means for unblinding includes means for raising the message to be unblinded to a power that acts as an inverse operation to that of said blinding operation.

19. Apparatus as in claims 15, 16, or 17 wherein:
said means for signing includes means for raising said unsigned message to a secret signing power derived from said private key, such exponentiation being performed in a finite structure where it is defined;
said means for blinding includes means for forming a product of at least a first message raised to a blinding power that is derived from said blinding key times at least a second message to be blinded; and
said unblinding means includes means for forming a product of the multiplicative inverse of the undeniably signed form of said first message raised to the blinding power times said second message.

20. Apparatus as in claims 11, 12, 13, or 14 including:
means for issuing a public key digital signature by said signing party responsive to at least one said challenge and one said response; and
means for checking said public key digital signature.